In case of faulty copy_from_user call inside ffs_epfile_ioctl, error code is
saved in a variable. However, this variable is later overwritten in every possible
path, which overshadows initial assignment.
This patch fixes it by returning the error code immediately and exiting the function.
Error discovered in coverity scan - CID 1583682
Signed-off-by: Karol Przybylski <karprzy7@xxxxxxxxx>
---
drivers/usb/gadget/function/f_fs.c | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
index 2920f8000bbd..00f52c9bb716 100644
--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -1735,8 +1735,7 @@ static long ffs_epfile_ioctl(struct file *file, unsigned code,
int fd;
if (copy_from_user(&fd, (void __user *)value, sizeof(fd))) {
- ret = -EFAULT;
- break;
+ return -EFAULT;
}
return ffs_dmabuf_attach(file, fd);
@@ -1746,8 +1745,7 @@ static long ffs_epfile_ioctl(struct file *file, unsigned code,
int fd;
if (copy_from_user(&fd, (void __user *)value, sizeof(fd))) {
- ret = -EFAULT;
- break;
+ return -EFAULT;
}
return ffs_dmabuf_detach(file, fd);
@@ -1757,8 +1755,7 @@ static long ffs_epfile_ioctl(struct file *file, unsigned code,
struct usb_ffs_dmabuf_transfer_req req;
if (copy_from_user(&req, (void __user *)value, sizeof(req))) {
- ret = -EFAULT;
- break;
+ return -EFAULT;
}
return ffs_dmabuf_transfer(file, &req);
--
2.34.1
